I find that I need to enable the following option in my testing of the possible replacement of MEDTLS with WolfSSL, otherwise I get an "ASN no signer to confirm" error: WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but not part of a valid chain. Default wolfSSL behavior is to require validation of all presented peer certificates. This also allows loading intermediate CA's as trusted and ignoring no signer failures for CA's up the chain to root. The alternate certificate chain mode only requires that the peer certificate validate to a trusted CA. Is that expected for the trust arrangements we are using? A possibly related question: do we expect the server to validate clients, or only the clients to validate the server? -- Steve